Now, spending time with VIRL, VIRL is not able to do Frame Relay interfaces, which is miserable in itself, as who uses Frame Relay anyway? So, to facilitate using Frame Relay, I've had to back out to GNS3. THEN – I find that Hyper-V (enabled for Docker Desktop) and VMware Workstation for running the GNS3 VM are mutually exclusive. So, running the GNS3 VM on the same host – at a distance – as the host I've got for VIRL seems like the right ticket. I'll update here as I play it out. It seems a chap has found his own way of running Docker without requiring Hyper-V, using VMware Workstation instead.

Out of all the 300-xxx exams, I’ve chosen the Route 300-101 exam because;

I deal with Layer 3 the least on a day to day basis

IPv6 re-education and/or update

Given I currently work least with routing protocols, the Route 300-101 feels like a really good choice for me and I'm really looking forward to the challenge rather than working with relatively familiar Layer 2 technologies. I'm also conscious it's 2019 and the Route 300-101 has been around for quite some time. With that in mind, I'm not going to commit to booking the exam until July 2019; whatever is the current version of the CCNP Layer 3 exam then, I'll commit to taking it in September 2019.

The Lab for the Route exam will be everything. There’s a few choices to be made in 2019 for working with your lab;

Physical Lab

I’ve owned a physical lab in the past for my original CCNA and CCNP exams. It’s costly – even when buying second hand, requires its own troubleshooting, power and space. That being said, once it was setup, the INE CCIE workbooks made it great to operate. In an age where a great deal of our world is virtualised, I’ve little appetite for going through months of eBay purchases of routers, switches and ancillary devices again. Physical is definitely the least good option here.

Cisco VIRL

I tried out Cisco VIRL a few years back and I wasn't bought into it. It had a bad reputation and still carries that with it. Since then, the VIRL team have ironed out some big criticisms. The installation process is now trivial. There's no need to use VM Maestro any more. As well as the long-standing API, HTML and CLI operations are now possible. VIRL does have a learning curve which is slightly higher than GNS3's and also has a paid annual license. Hold on though. Cisco VIRL is available on Cisco DevNet – FREE. All you need to do is register with Cisco DevNet. If you've already got a Cisco CCO account you're already able to access DevNet with that. The software available to simulate on DevNet is;

IOSxrv 9000 (6.5.1)

NX-OSv 9k (9.2.2)

CSR1000v (16.9.1)

IOSv (15.7.3)

These software images can be deployed with the following topologies, pre-configured in the sandbox;

8 nodes datacenter

2 ios router

9 router mesh

extranet

Free and legal is a really low barrier to entry. And if you get your head round it, the annual Personal Edition license becomes less onerous, running it on your own tin or on Packet.

If you'd like some topologies, https://github.com/virlfiles contains some pre-baked topologies to get you going. With OpenStack being the orchestrator running on top of Ubuntu, you can run any appliance or VM you desire as long as it is imported as a KVM image. Aren't happy with the appliances in VIRL? Import one. If you're familiar with Vagrant, VIRL has a devops-style CLI called virlutils, built in Python, to help code the entire build-up, configure, verify and teardown process of your environments.

EVE-NG

EVE-NG is the least familiar to me but has gained interest and support in the networking community. It's free – assuming you can work in the same grey area as GNS3 of using genuine IOS images to inject into the platform. After spinning it up briefly, I felt the learning curve was a bit much considering I'd already invested time into VIRL, and with my conclusion to follow, you'll see why I chose to leave EVE-NG behind.

GNS3

Finally GNS3 which is well used and known by many engineers but has the grey area around legitimate use of images on the software. My experience with GNS3 this time round is that it’s come on leaps and bounds and should be seriously considered if you’re running your simulations on your laptop or desktop computer.

Conclusion

GNS3 – If I were learning on one device and not in different locations with different devices, I would have chosen GNS3, but this time round it's my second choice.

EVE-NG – Unfamiliarity, the learning curve and the grey legal use of the image files were the basis for third place in this table.

Physical Lab – In 2019, there’s really no need for the physical lab and it shouldn’t be considered. There’s a fringe case to have a single switch kicking around for some PoE operations, but that’s about it.

In 2019, I'm still staggered that an archive feature available in Cisco IOS isn't available in Cisco ASA code.

That being said, it’s possible to craft some code to take the edge off Cisco ASA devices which may not normally receive frequent administrative attention.

Embedded Event Manager is your friend in this case. A generic use case for EEM can be found here.

In this case though, I want a backup that’s written to an SFTP server infrequently. I would prefer a weekly backup, but in the case of the EEM absolute timer parameters, the only choice is the hh:mm:ss format, so daily it is.

Configure bypass options;

Configure trusted IPs;

The feature is available with the full version of Azure Multi-Factor Authentication (Azure AD P1/P2 SKUs), and not the free version for Global Administrators. This feature only works with IPv4 addressing as of January 2019.

Configure verification methods;

This isn't specific to Microsoft and their MFA service; it applies to all services. Do consider that the tech community at large no longer regards text messaging as an acceptable verification method. The ability to compromise service providers' SS7 protocols is widely known. Hardware tokens or smartphone apps like the Microsoft, Google, LastPass or Duo authenticators are the most appropriate choices.

Manage role-based access control (RBAC);

Implement RBAC policies;

Assign RBAC Roles;

Create a custom role;

Duplication! See below.

Configure access to Azure resources by assigning roles;

Duplication! See below.

Configure management access to Azure;

Duplication! See below.

Manage role-based access control (RBAC)

Owner is a powerful role in Azure RBAC. The key thing is that Owners can also grant further access to a resource they are Owners of. This probably isn’t great for you as the person administering the Azure tenant. As a Global Administrator, I would suggest it’s much more likely that you’ll be choosing the Contributor role for granting access to resources. It lets you manage everything except access to the resource.
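As an added example (not from the original post), here is how the Owner versus Contributor distinction looks in AzureRM PowerShell: list the Owner assignments worth reviewing, show why Contributor cannot delegate access, and grant Contributor scoped to a single resource group. The resource group and user names are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and an
# authenticated session (Connect-AzureRmAccount). Names are placeholders.
$ResourceGroup = 'rg-app-prod'           # placeholder resource group
$Principal     = 'engineer@contoso.com'  # placeholder user principal name

# 1. Audit: every Owner assignment is a delegated administrator, because Owner
#    includes Microsoft.Authorization/* and can therefore grant further access.
Get-AzureRmRoleAssignment -RoleDefinitionName 'Owner' |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Sort-Object Scope |
    Format-Table -AutoSize

# 2. Why Contributor is the safer default: its NotActions exclude the
#    Microsoft.Authorization write/delete operations, so a Contributor can
#    manage resources but cannot change who has access to them.
(Get-AzureRmRoleDefinition -Name 'Contributor').NotActions

# 3. Grant Contributor at resource-group scope rather than Owner at
#    subscription scope.
New-AzureRmRoleAssignment -SignInName $Principal `
                          -RoleDefinitionName 'Contributor' `
                          -ResourceGroupName $ResourceGroup

# 4. Verify the assignment exists at the intended scope only.
Get-AzureRmRoleAssignment -SignInName $Principal -ResourceGroupName $ResourceGroup |
    Select-Object RoleDefinitionName, Scope
```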

Configure management access to Azure;

It’s difficult to see a great deal of value in this objective. I think it’s still here because the policy forcing all Azure Administrators through MFA is not yet default and until that time it’s useful to know how to configure management access to Azure.

Something that’s not part of the exam objective, but is pertinent, is the “break glass” accounts you should have setup for your Azure tenant.

May include but not limited to: Enable PIM;

PIM requires you to purchase Azure AD P2 or EMS E5 (a bundle which includes AAD P2) licenses for all the users who need to use PIM. When enabling PIM, the Global Administrator that enabled PIM is the only user in the tenant who has PIM configuration access. It's therefore critical that, immediately after enabling PIM, you at least make all other Global Administrators eligible to be PIM administrators or assign them the role permanently. Again, though not an exam objective, consider your two "break glass" accounts to ensure you don't lock yourself out of your tenant.

Implement Advanced Virtual Networking 30-35%

John Savill has a fantastic course on designing an Azure Networking Strategy here. I hold John in high regard and would recommend any of his courses.

Before approaching the following two load balancing objectives, I recommend giving this a read.

Implement application load balancing

Regarding the Application Load Balancer and Load Balancer, I find it useful to draw parallels between these features and the HAProxy project.

HAProxy can get involved in TCP and HTTP flows. The HTTP mode draws parallels to the Azure Application Gateway, the TCP mode to the Azure Load Balancer. There isn't feature parity, but for the sake of discussion, these are my analogies from HAProxy to Azure services.

May include but not limited to: Configure Application Gateway and load balancing rules;

The application gateway pricing can be found here. It has a per-hour charge depending on the type (size), nominal data processing and outbound data charges.

The application gateway relies on being deployed in a subnet in a VNet. The VNet doesn't have to be one of your existing VNets; you can create a VNet for the sole purpose of hosting the Application Gateway. But if you intend to serve data from Virtual Machines or Scale Sets in an existing VNet, the Application Gateway must be in the same VNet as those resources. Whether the VNet is new or existing, the subnet used for the Application Gateway should be empty or contain no resource types other than Application Gateways. Each V1 Application Gateway (V2s scale slightly higher but are in preview in Jan 2019), standard or WAF (Web Application Firewall), can be between one and seventy-five VMs (instances). Your subnet should be big enough to cope with each Application Gateway and any private frontend IP addresses you might choose to deploy.

Manage application load balancing;

Implement Azure load balancer

May include but not limited to:Configure internal load balancer, load balancing rules, and public load balancer;

The Azure Load Balancer pricing only applies to the standard SKU; the basic SKU is free. But the features on basic are a little disappointing.

Internal Load Balancer;

To make use of the Internal Load Balancer, you first need to talk about the constructs it can back off to. The basic SKU can only back off to Availability Sets, VM Scale Sets and a single VM. The standard SKU does things more as you’d expect.

Public Load Balancer;

For me, a key thing to mention is that you must allow the traffic in any NSGs associated with VNet subnets and/or IaaS VMs' network interfaces that are in the path of the flow from the Load Balancer (perceived from their perspective as the Internet) to the IaaS VMs, on the port the Load Balancer is sending traffic to.
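To make the NSG point concrete, this added example (not from the original post) builds an NSG for a backend subnet behind a public Load Balancer using AzureRM PowerShell: it allows only the load-balanced port inbound and relies on the default AllowAzureLoadBalancerInBound rule for health probes. VNet, subnet and resource names, the region and the port are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureRM module, an
# authenticated session, and an existing VNet/subnet. Names are placeholders.
$ResourceGroup = 'rg-web-prod'
$Location      = 'westeurope'
$VNetName      = 'vnet-web'
$SubnetName    = 'snet-web'
$SubnetPrefix  = '10.10.2.0/24'
$BackendPort   = 443   # the port the Load Balancer rule forwards to

# A public Load Balancer preserves the client's source address, so from the
# backend NSG's point of view the flow arrives from the Internet. Allow only
# the forwarded port; narrow SourceAddressPrefix to known client ranges when
# the service is not meant to be world-reachable.
$allowLbPort = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-LB-Backend-Port' `
    -Description 'Load-balanced client traffic to the backend port' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $BackendPort

# No separate probe rule is needed: the default AllowAzureLoadBalancerInBound
# rule (priority 65001) admits health probes, and the default DenyAllInBound
# rule (priority 65500) drops everything else, including management ports.
$nsg = New-AzureRmNetworkSecurityGroup -Name 'nsg-web-backend' `
    -ResourceGroupName $ResourceGroup -Location $Location `
    -SecurityRules $allowLbPort

# Associate the NSG with the backend subnet so it applies to every NIC there.
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $SubnetPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Confirm the custom inbound rules on the subnet's NSG.
(Get-AzureRmNetworkSecurityGroup -Name 'nsg-web-backend' -ResourceGroupName $ResourceGroup).SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```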

You could also stand up a connection monitor from an IaaS VM to an on-premises VM endpoint. This is dependent on the Azure Network Watcher Extension being installed and available on the source IaaS VM.

Use network resource monitoring and Network Watcher;

Network resources? I guess this could count as using a connection monitor instance to monitor traffic to/from a couple of IaaS VMs' network interfaces. Strictly speaking, an Azure Network Interface is a resource, and consequently a network resource. Sorry I can't bring more clarity on this one.

Manage external networking and virtual network connectivity;

Integrate on premises network with Azure virtual network

May include but not limited to:Create and configure Azure VPN Gateway;

From a real world perspective, I’ve operated an Azure Virtual Network Gateway on the “VpnGw1” SKU to an on-premises Cisco ASA running the latest ASA code. My experience wasn’t that pleasant in that we lost VPN connectivity a few times and that forced my hand into considering a Network Virtual Appliance (NVA). We now run a Cisco ASAv10 in Azure with a better track record. The VPN on the Azure side has remained stable with our on-premises ASAs causing us more trouble than the ASAv in Azure, now.

Create and configure site to site VPN;

The exam requires you to understand Azure's own Virtual Network Gateway (VNG) offering. This exam doesn't cover any of the Network Virtual Appliances (NVAs) in the Virtual Machine marketplace that can be used instead of the VNG, such as Cisco ASAv/CSRv (BYOL) and Palo Alto VM-Series Next Generation Firewall (BYOL). The Azure VNG is a pair of VMs for high availability that are spun up invisibly to you in the portal, abstracted away into the VNG resource. Whilst it's possible to use a /29 "GatewaySubnet", you should choose a /28 or /27 to support the possibility that you may choose Azure ExpressRoute at a later date. Do not apply any Network Security Groups to the "GatewaySubnet" resource.

Configure Express Route;

ExpressRoute is available because in comparison to Site-to-Site VPNs, it offers;

Consistent latency

Predictable performance

An SLA

Redundancy

Higher throughput options (9Gbps maximum)

It doesn’t use the Public Internet to pass your internal traffic to the Azure Virtual Networks, so there’s no IPSec involved in the flow.

Whilst I understand that there are organisations that might choose ExpressRoute because of scale (attaching ExpressRoute to your existing MPLS cloud has benefits) or some other largesse, my steer, if you need access to Azure Virtual Networks, would be to use Site-to-Site VPN constructs using either the Azure VPN Gateway or Network Virtual Appliances (NVAs) wherever possible.

Verify on premises connectivity;

My belief is that both these exam objectives assume you’re using Azure Virtual Network Gateway or Express Route to connect your on-premises network to Azure.

If you are to use Network Performance Monitor for your ExpressRoute circuits, a prerequisite is to have the Azure Log Analytics extensions installed both at the on-premises site and in the Azure tenant in which the ExpressRoute circuit terminates, to generate data for OMS to report on.

Manage on-premises connectivity with Azure

This could mean either the Azure VPN Gateway or ExpressRoute. ExpressRoute is basically impossible to replicate in your own Azure tenant unless you have your organisation running ExpressRoute into your Managed WAN or on-premises environment.

Implement and manage application services (20-25%)

***WARNING*** AZ-100, AZ-101 and AZ-102 are all ceasing in favour of the AZ-103 single exam. See the link to the new exam syllabus – here***WARNING***

My background as an IT professional is infrastructure. With that in mind, the intention in this post is to help others with a similar background evolve their understanding of the PaaS or Serverless computing services in Azure.

I’ll start with a comparison of Azure Functions and Logic Apps from codit.eu

“A popular comparison states that Azure Functions is code being triggered by an event, whereas Logic Apps is a workflow triggered by an event. This is reflected in the developer experience. Azure Functions are completely written in code, which currently supports JavaScript, C#, F#, Node.js, Python, PHP, batch, bash and PowerShell. In Logic Apps, workflows are created with an easy-to-use visual designer, combined with a simple workflow definition language in the code view. Each developer has of course his/her personal preference. Logic Apps is much simpler to use, but this can sometimes cause limitations in complex scenarios. Azure Functions gives a lot more flexibility and responsibility to the developer.”

Azure Logic Apps took its inspiration from the on-premises tool “BizTalk Server”. Up until this point of my career, I’ve never known what BizTalk Server was intended for. Logic Apps operates in a similar iPaaS (Integration Platform as a Service) market space as Dell Boomi and Mulesoft. How well the Microsoft serverless applications perform compared to others, I can’t judge. All said, Logic Apps is Microsoft’s offering in the iPaaS market. If you listen to Steef-Jan Wiggers, he reckons it’s doing alright.

If Logic Apps, as described above by codit.eu, abstract the code away from Function Apps by using a visual designer, Microsoft Flow takes that one step further and provides Software as a Service on top of Logic Apps. Flow operates in a similar product space to IFTTT, but with the ability to leverage Microsoft's On-Premises Data Gateway.

Bringing it back to the exam subject matter, to allow your Azure Serverless applications to communicate with each other and pass data around, you can make use of the Azure messaging services; Azure Event Grid, Service Bus, and Event Hubs.

Another comprehensive article about when to use Azure Functions or Logic Apps is available on DZone.

Before we dive into the exam objectives: I've switched round the order in which I approach them because it made more sense. Creating Azure Functions before the App Service Plan doesn't feel like the right way round. In the exam the learning matter is listed;

Configure serverless computing

Manage App Service Plan

Manage App Services.

To facilitate a more natural progression, I’ve listed the objectives;

Manage App Service Plan

Configure serverless computing

Manage App services

Manage App Service Plan

Azure Functions run inside/on top of App Service Plans (as do many other App Services). App Service Plans are collections of Virtual Machines which are abstracted away from you, creating a Platform as a Service (PaaS). The plan tier determines the resources available and the billing constructs associated with those resources, so you can get on and drop your app or code into Azure. Azure Logic Apps do not run in App Service Plans and are billed on a consumption model which is based on connectors and integration accounts.

A guiding factor in these App Service Plans is the ACU or Azure Compute Units. You should choose the right plan for you with sufficient compute units and features to achieve your outcome. For exam objectives the S1 tier is the cheapest tier because of the later feature requirements covered in “Manage App Services”.

May include but not limited to:

Configure application for scaling;

Scaling up (a larger VM) versus scaling out (more of the same VMs) is the choice you need to make for your scenario.

Then you have both a VS Code and Visual Studio guide for managing the Logic App. This seems like a poor choice to me as Logic Apps lends itself less towards the “developer experience” and more towards a graphical workflow.

Manage Azure Function App settings;

There’s only one mention of Function Apps in these objectives, but do not underestimate the requirement for understanding them. Here’s an old but great use case of Function Apps by Troy Hunt.

Function Apps are created from the Azure Portal by choosing either "Create a Resource" or "App Services" and then "Serverless Function App". Strangely, you can't visit the Function App blade and add a Function App from there.

To move data in and out of your Function App using FTP or FTPS, within your Function App, from the Function App blade, navigate through;

Platform Features | Deployment Center | FTP | Dashboard

You are then presented with your FTPS endpoint, app credentials and user credentials for moving content to/from the Function App using FTPS with a client like WinSCP.

Manage Event Grid;

Event Grid pricing, like Logic App pricing, is based on a consumption model. For Event Grid, the first 100,000 operations per month are free.

There are five concepts in Event Grid that get you going, with the bold items being the Event Grid services you configure in Azure.

Events – What happened.

Event sources – Where the event took place.

Event Topics – The endpoint where publishers send events.

Event subscriptions – The endpoint or built-in mechanism to route events, sometimes to more than one handler. Subscriptions are also used by handlers to intelligently filter incoming events.

Event handlers – The app or service reacting to the event.

Manage Service Bus;

Azure Service Bus is another consumption based pricing model. There are certain volumes of use which are included in the base price, and then tiers of charges thereafter.

Manage App services

May include but not limited to:

Assign SSL certificates;

SSL Certs are charged per year, per domain. For four times the cost, you can choose a wildcard certificate.

For me, assigning an SSL cert makes the most sense if you've configured a custom domain. Please Microsoft, can you develop your services to take advantage of Let's Encrypt? It feels like rent extraction from a captive audience that certificates cost money in the Azure portal. Delivering HTTPS everywhere is a solved problem. Please?!

Configure application settings;

There's absolutely no guidance about which settings are pertinent to the exam, but knowing things like Java being mutually exclusive with the other frameworks, 64-bit being available only in the paid tiers, and how to configure the default document settings seems important.

Manage App Service protection;

You can protect access to your Web Apps very easily by choosing Azure Active Directory as your identity source. Google, Facebook etc. don't look tough either, as they are all choices in the turnkey Authentication/Authorisation service blade.

Manage roles for an App service;

Create and manage App Service Environment

It’s weird this objective comes under “Manage App Services”. I can’t think why it isn’t under the first subject in this post “Manage App Service Plan”. Anyway. App Service Environments (ASEs) are for when things get serious. You could be subject to governance that determines that you must run your workload in an isolated environment with worker VMs that are in no way shared with other Azure customers. ASEs can have Virtual IPs that are Internal or External. The language is that “Isolated” App Service Plans and ASEs are the same thing. Currently if I choose an App Service Plan and select Isolated as the pricing tier, I’m told that’s not supported. I’ve tried multiple regions and OSs but can’t select Isolated. My take is that you get the outcome intended for the Isolated App Service Plan tier from going through the ASE blade and choosing the External Virtual IP.

ASEs, like VPN Gateways and Application Gateways require their own subnet. Having spent the time authoring these AZ-10x posts, it now seems critical that one understands upfront that there’s quite a few scenarios where single use subnets are required for Azure services. Don’t make your Azure VNet a /24 address space!
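Pulling the subnet rules from these posts together, this added example (not from the original post) lays out a VNet in AzureRM PowerShell with a dedicated subnet for each service discussed: a /27 GatewaySubnet, a /25 for one Application Gateway at its V1 ceiling, a subnet for an ASE and one for workloads. Names, region and address ranges are placeholders; the ASE subnet size is an assumption taken from Microsoft's ASE guidance rather than anything on this page.

```powershell
# Added example, not from the original post. Assumes the AzureRM module and an
# authenticated session. Names, region and address ranges are placeholders.
$ResourceGroup = 'rg-network-hub'
$Location      = 'westeurope'

# Azure reserves 5 addresses in every subnet, so usable = size - 5.
# A /24 VNet (256 addresses) would be exhausted by the first two subnets below;
# a /22 (1024 addresses) leaves headroom for more single-purpose subnets later.

# GatewaySubnet: must carry this exact name. /27 rather than /29 keeps the
# option of adding ExpressRoute later. Never attach an NSG to this subnet.
$gatewaySubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
    -AddressPrefix '10.10.0.0/27'

# Application Gateway: nothing but gateways in this subnet. /25 gives 123 usable
# addresses, enough for one V1 gateway at its 75-instance ceiling plus private
# frontend IPs, with room left for a second gateway.
$appGwSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-appgw' `
    -AddressPrefix '10.10.0.128/25'

# App Service Environment: also needs a subnet of its own. /24 is assumed here
# from Microsoft's ASE sizing guidance, not from the original post.
$aseSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-ase' `
    -AddressPrefix '10.10.1.0/24'

# Ordinary IaaS workloads, where NSGs and load balancers actually apply.
$webSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-web' `
    -AddressPrefix '10.10.2.0/24'

$vnet = New-AzureRmVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $ResourceGroup `
    -Location $Location -AddressPrefix '10.10.0.0/22' `
    -Subnet $gatewaySubnet, $appGwSubnet, $aseSubnet, $webSubnet

# Review the resulting layout; 10.10.0.32/27, 10.10.0.64/26 and 10.10.3.0/24
# remain free for future single-purpose subnets.
$vnet.Subnets | Select-Object Name, AddressPrefix
```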


After a friend on Reddit posted the recent Ignite video for the AZ-100 exam, I went looking for the AZ-101. As before, it would be a good idea to start here and hear from the horses mouth before starting on your journey.

Also, please consider this guide from Skylines Academy for your PowerShell skills to bolster your competency on Azure and for the AZ-10x exams.

Evaluate and perform server migration to Azure (15-20%)

From an Azure service perspective, this module is three services;

Evaluate = Azure Migrate

Perform = Azure Site Recovery into an Azure Recovery Services Vault

Azure Migrate does the cost and technical analysis: how much your invoice for the workload will be once it's in Azure, and whether the chosen workloads are compatible with Azure. Azure Site Recovery is the source side, used to protect the workload and facilitate the migration piece, which is a failover operation executed from the Recovery Services Vault (destination) blade and never fails back to the source site.

Evaluate migration scenarios by using Azure Migrate

Azure Migrate is focused on analyzing workloads for migration into Azure and is currently constrained to VMware vSphere analysis. Azure Site Recovery Deployment Planner is used for other workloads.

As I write this, I cannot see any PowerShell that drives Azure Migrate using the AzureRM module. The new AZ module may include commands, but for the exam in the early part of 2019, I don't believe the AZ command set will be in scope yet. See the AzureRM to AZ announcement here.

Identify workloads that can and cannot be deployed;

Recent changes to Azure Site Recovery allow Windows 2012R2 and later VMs that are using a UEFI boot type to be converted to BIOS as part of the migration. Sadly though, everything else is still unsupported if the VM boot type is UEFI, for now.

Setup domain accounts and credentials;

Migrate servers to Azure

Recovery Services Vaults provide data services for protection and recovery. Azure Site Recovery, which gets deployed in the environment where the workload resides, includes technology that was part of an acquisition by Microsoft in 2014.

May include but not limited to:

Migrate by using Azure Site Recovery (ASR);

There are many PowerShell commands for the Azure Site Recovery service. The current module for the AzureRM seems to be AzureRM.SiteRecovery.